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Abstract. We study classes of Dynamic Programming (DP) algorithms 

which, due to their algebraic definitions, are closely related to coefficient 

r) I extraction methods. DP algorithms can easily be modified to exploit 

r \ . sparseness in the DP table through memorization. Coefficient extraction 

• ' techniques on the other hand are both space-efficient and parallelisable, 

Y? , but no tools have been available to exploit sparseness. We investigate the 

systematic use of homomorphic hash functions to combine the best of 
these methods and obtain improved space-efficient algorithms for prob- 
lems including LINEAR SAT, SET PARTITION, and SUBSET SUM. 
^ • Our algorithms run in time proportional to the number of nonzero entries 

yi^ I of the last segment of the DP table, which presents a strict improvement 

over sparse DP. The last property also gives an improved algorithm for 
CNF SAT with sparse projections. 
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Coefficient extraction can be seen as a general method for designing algorithms, 
recently in particular in the area of exact algorithms for various NP-hard prob- 
lems [314114116115^5] (cf. [g^B] for an introduction to exact algorithms). The 
approach of the method is the following (see also |15)): 

1. Define a variable (the so-called coefficient) whose value (almost) immediately 
gives the solution of the problem to be solved, 

2. Show that the variable can be expressed by a relatively small formula or 
circuit over a (cleverly chosen) large algebraic object like a ring or field, 

3. Show how to perform operations in the algebraic object relatively efficiently. 

In a typical application of the method, the first two steps are derived from an 
existing Dynamic Programming (DP) algorithm, and the third step deploys a 
carefully selected algebraic isomorphism, such as the discrete Fourier transform 
to extract the desired solution/coefficient. Algorithms based on coefficient extrac- 
tion have two key advantages over DP algorithms; namely, they are space-efficient 
and they parallehse well (see, for example, ^^). 



Yet, DP has an advantage if the problem instance is sparse. By this we 
mean that the number of candidate/partial solutions that need to be considered 
during DP is small, that is, most entries in the DP table are not used at all. In 
such a case we can readily adjust the DP algorithm to take this into account 
through memorization so that both the running time and space usage become 
proportional to the number of partial solutions considered. Unfortunately, it 
is difficult to parallelise or lower the space usage of memorization. Coefficient 
extraction algorithms relying on interpolation of sparse polynomials |17| improve 
over memorization by scaling proportionally only to the number of candidate 
solutions, but their space usage is still not satisfactory (see also [26]). 

This paper aims at obtaining what is essentially the best of both worlds, by 
investigating the systematic use of homomorphisms to "hash down" circuit-based 
coefficient extraction algorithms so that the domain of coefficient extraction - 
and hence the running time - matches or improves that of memorization-based 
DP algorithms, while providing space-efficiency and efficient parallelisation. The 
key idea is to take an existing algebraic circuit for coefficient extraction (over a 
sparsely populated algebraic domain such as a ring or field), and transform the 
circuit into a circuit over a smaller domain by a homomorphic hash function, 
and only then perform the actual coefficient extraction. Because the function 
is homomorphic, by hashing the values at the input gates and evaluating the 
circuit, the output evaluates to the hash of the original output value. Because 
the function is a hash function, the coefficient to be extracted collides with other 
coefficients only with negligible probability in the smaller domain, and coefficient 
extraction can be successfully used on the new (hashcd-down) circuit. We call 
this approach homomorphic hashing. 

Our and previous results 

We study sparse DP/coefficient extraction in three domains: (a) the univariate 
polynomial ring ¥[x] in Section[3l (b) the group algebra F[Z2] in Section|4]and (c) 
the Mobius algebra of the subset lattice in Section [5l The subject of sparse DP 
or coefficient extraction is highly motivated and well-studied |7|8|17|28] . In [17] , 
a sparse polynomial interpolation algorithm using exponential space was already 
given for (a) and (b); our algorithms improve these domains to polynomial space. 
In J14j a polynomial-space algorithm for finding a small multilinear monomial 
in ¥[1^2] '^8'S given. In [16] a general study of settings (a) and (b) was initiated, 
but sparsity was not addressed. Our main technical contribution occurs with (c) 
and hashing down to the "Solomon algebra" of a poset. 

Our methods work for general arithmetic circuits similarly as in |14I16I17] . 
and most of our algorithms work for counting variants as well. But, for concrete- 
ness, we will work here with specific decision problems. Although we mainly give 
improvements for sparse variants of these problems, we feel the results will be 
useful to deal with the general case as well (as we will see in Section 2]). 

Subset Sum The Subset Sum problem is the following: given a vector a — 
(ai,...,a„) and integer t, determine whether there exists a subset X C [n] 



such that J2eex «e = t- It is known to be solvable 0*(2"/2) time and 0^(2"/4) 
space J12I21] . and solvmg it faster, or even in 0*(1.99") time and polynomial 
space are interesting open questions j26j . Recently, a polynomial space algorithm 
using 0*{t) time was given in [T5] . 

Theorem 1 An instance {a,t) of the Subset Sum problem can be solved 

(a) in 0*{S) expected time and polynomial space, and 

(b) in 0*{S'^) time and polynomial space, 

where S is the number of distinct sums, i.e. S = HX^eGX o-e '■ X C [n]}\ . 

Here it should be noted that standard sparse DP gives an 0*{S) time and 
space algorithm. Informally stated, our algorithms hash the instances by working 
modulo randomly chosen prime numbers and applying the algoritm of |16| . While 
interesting on their own, these results may be useful in resolving the above open 
questions when combined with other techniques. 

Linear Sat The Linear Sat problem is defined as follows: given a matrix A G 
Zj*^™, vectors b G Z™ and u) e N", and an integer t = n^'^'^\ determine whether 
there is there a vector a; G Zj such that xA = b and u)x^ < t. 

Variants of Linear Sat have been studied, perhaps most notably in [llj . 
where approximability was studied. In |2I6| the Fixed Parameter Tractability 
was studied for parameterizations of various above guarantees. There, it was also 
quoted from [TT] that (a variant of) Linear Sat is "as basic as satisfiability" . 

It can be observed that using the approach from [T^], Linear Sat can be 
solved in 0(2"/^m) time and 0(2"/^m) space. Also, using standard "sparse 
dynamic programming", it can be solved in 0*{2'^^^^^) time and 0*(2'^^^^^) 
space, where rk(A) is the rank of A. We obtain the following polynomial-space 
variants: 

Theorem 2 An instance {A,b,uj,t) o/Linear Sat can be solved by algorithms 
with constant one-sided error probability in 

(a) 0*{2'^^^ ') time and polynomial space, and 

(b) C'*(2"/^) time and polynomial space. 

The first algorithm hashes the input down using a random linear map and 
afterwards determines the answer using the Walsh-Hadamard transform. The 
second algorithm uses a Win/Win approach, combining the first algorithm with 
the fact that an A with high rank can be solved with a complementary algorithm. 

Satisfiability The CNF-Sat problem is defined as follows: given a CNF-formula 
4> ~ Ci A C2 A . . . A Cm over n variables, determine whether is satisfiablc. 
There are many interesting open questions related to this problem, a major one 
being whether it can be solved in time 0*((2 — e)") (the 'Strong Exponential 
Time Hypothesis' [13] states this is not possible), and another being whether the 



number of satisfying assignments can be counted in time 0*((2 — e)") for some 
e > (e.g. HU). 

A prefix assignment is an assignment of 0/1 values to the variables vi, . . . ,Vi 
for some 1 < i < n. A projection (prefix projection) of a CNF-formula is a subset 
TT C [771] such that there exists an assignment (prefix assignment) of the variables 
such that for every 1 < j < to it satisfies Cj if and only if j G tt. An algorithm 
for CNF-Sat running in time linear in the number of prefix projections can be 
obtained by standard sparse DP. However, it is sensible to ask about complexity 
of CNF-Sat if the number of projections is small. Wc give a positive answer: 

Theorem 3 Satisfiability of a formula (j) — Ci A . . . A Cm can be determined in 
0*{P^) time and 0*{P) space, where P = |{7r C [ra] : tt is a projection of (j)}\. 

We are not aware of previous work that studies instances with few projections. 
Although most instances will have many projections, we think our result opens 
up a fresh technical perspective that may contribute towards solving the above 
mentioned and related questions. 

Underlying Theorem |3] is our main technical contribution (Theorem llGp that 
enables us to circumvent partial projections and access projections directly, 
namely homomorphic hashing from the Mobius algebra of the lattice of sub- 
sets of [m] to the Solomon algebra of a poset. A full proof of Theorem [12] is 
given in the appendix; we give a specialized, more direct proof of Theorem [3] in 
Section 5. 

The proofs of claims marked with a "f are relegated to the appendix in 
order to not break the flow of the paper. 

2 Notation and Preliminaries 

Lower-case boldface characters refer to vectors, while capital boldface letters 
refer to matrices, I being the identity matrix. The rank of a matrix A is denoted 
by rk(A). If R and S are sets, and S is finite, denote by R^ the set of all |S'|- 
dimensional vectors with values in R, indexed by elements of S, that is, iiv € R^ , 
then for every e G 5 we have Ve £ R- We denote by Z and N the set of integers 
and non-negative integers, respectively, and by Zp the field of integers modulo a 
prime p. An arbitrary field is denoted by F. 

For a logical proposition P, we use Iverson's bracket notation [P] to denote 
a 1 if P is true and a if P is false. For a function h : A ^ B and b G B, the 
preimage h~^{b) is defined as the set {a € A : h{a) = b}. For an integer n and 
yl C {1, . . . , n}, denote by x(A) G Z2 the characteristic vector of A. Sometimes 
we will state running times of algorithms with the O* notation, which suppresses 
any factor polynomial in the input size. 

For a ring R and a finite set S, we write R^ for the ring consisting of the 
set R^ (the set of all vectors over R with coordinates indexed by elements of 5") 
equipped with coordinate-wise addition + and multiplication o (the Hadamard 
product), that is, for a,b G R and a + b — c, a o b = d we set az + bz = Cz 
and azbz = dz for each z € S, where + and the juxtaposition denote addition 



and multiplication in R, respectively. The inner-product a,b Q R^ is denoted by 
a^ ■ b. For v G R^ denote by supp(tj) C S the support of v, that is, supp(u) = 
{z ^ S : Vz ^ 0}, where is the additive identity element of R. A vector v is 
called a singleton if |supp(t;)| = 1. We denote by {w, z) the singleton with value 
w on index z, that is, {w, z) = wly = z\ for all y ^ S. 

If _R is a ring and (5, •) is a finite semigroup, denote by R\S\ the ring consisting 
of the set R^ equipped with coordinate-wise addition and multiplication defined 
by the convolution operator *, where for a, b G R^ , a * b = c we set c^ = 

Y.x-y=z 0-x^v fo^ every z G S. 

If R, S are rings with operations (+, *) and (©, ®) respectively, a homomor- 
phism from R to S is a function h : R ^ S such that h{ei + £2) = h{ei) © h{e2) 
and /i(ei * 62) = h{ei) ® h{e2) for every ei, 62 G i?. 

Observation 4 Let R be a ring, and let (S, •) and (T, 0) 6e finite semigroups. 
Suppose ip : S ^ T such that for every x,y ^ S we have ip{x ■ y) = ip{x) ip{y)- 
Then the function h : R[S] — >■ R[T] defined by h : a ^-^ b where b, =^ 
for all z ^T is a homomorphism. 
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A circuit C over a ring i? is a labeled directed acyclic graph D = {V, A) 
where the elements of V are called gates and D has a unique sink called the 
output gate of C . All sources of C are called input gates and are labeled with 
elements from R. All gates with non-zero in-degree are labeled as either an 
addition or a multiplication gate. (If multiplication in R is not commutative, the 
in-arcs of each multiplication gate are also ordered.) Every gate g oi C can be 
associated with a ring element in the following natural way: If g is an input gate, 
we associate the label of g with g. If g is an addition gate we associate the ring 
element ei + . . . + Cd with g, and if g is a multiplication gate we associate the 
ring element ei * . . . * e^ with g where ei, . . . , e^ are the ring elements associated 
with the d in-neighbors of g, and + and * are the operations of the ring R. 

Suppose the ground set of R is of the type A^ where A, B are sets. Then C 
is said to have singleton inputs if the label of every input-gate of C is a singleton 
vector of R. 

Definition 5 Let R and S be rings, let h : R ^f S be a homomorphism, and 
suppose that C is a circuit over R. Then, the circuit h{C) over S obtained by 
applying h to C is defined as the circuit obtained from C by replacing for every 
input gate the label I by h{l). 

Note that the following is immediate from the definition of a homomorphism: 

Observation 6 Suppose C is a circuit over a ring R with output v E R. Then 
the circuit over S obtained by applying a homomorphism h : R -^ S to C outputs 
h{v) G S. 

3 Homomorphic Hashing for Subset Sum 

In this section we will study the Subset Sum problem and prove Theorem[TJ As 
mentioned in the introduction, it should be noted that this merely serves as an 



illustration of how similar problems can be tackled as well since the same method 
applies to the more general sparse polynomial interpolation problem. However, 
to avoid a repeat of the analysis of [TB], we have chosen to restrict ourselves 
to the Subset Sum problem. Our central contribution over [TB] is that we take 
advantage of sparsity. 

Given a G N" and an integer p£N, let c^ : N" -^ N" be defined by 
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< X C [n] : ^ fle = j (modp) \ 



for every j G Zp. 
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We also use the shorthand c{a) = c°°{a). We use a corollary from [TO] : 

Corollary 7 (f.[16|) Given an instance {a,t) o/ SUBSET SuM and an integer 
p, d'{a)t can be computed in 0*{p) time and 0*{1) space. 

We will also need the following two results on primes: 

Theorem 8 ( j20j ) // 55 < u, then the number of prime numbers at most u is 
at least -, — ^^-tt. 

Lemma 9 (f, Folklore) There exists an algorithm pickpriine(u) running in 
polylog(u) time that, given integer u > 2 as input, outputs either a prime chosen 
uniformly at random from the set of primes at most u or notf ound. Moreover, 
the probability that the output is notf ound is at most -. 

We will run a data reduction procedure similar to the one of Claim 2.7 in 
[TU] . before applying the algorithm of Corollary [T] The idea of the data reduction 
procedure is to work modulo a prime of size roughly |supp(c(a))| or larger: 

Lemma 10 Let S > |supp(c(a))| and let /? be an upper bound on the num- 
ber of bits needed to represent the integers, i.e. 2" > max{i,maxi a;}. Then, 
Probp [c(a)( = cP{a)t] > \, where the probability is taken uniformly over all 
primes p < S'/3n(log/3)(logn). 

Proof. Suppose c{a)t ^ cP{a)t. Then there exists an integer u G supp(c(a)) such 
that u ^ t and u = t (mod p). This implies that p is a divisor of |i — w|, so let us 
bound the probability of this event. Since |i — u| < 2^n, it has at most (3 + logn 
distinct prime divisors. Let 7 = S'/3n(log/3)(logn). It is easy to check that for 
sufficiently large /3 and n: 

Probp[p divides \t 



< 


/3 + log n 

7 


< 


;3 + log n 

7 


< 


1 

25 




log 7+2 


3(n+log/3) 



where we use Theorem [5] in the first inequality and S < 2" in the second in- 
equality. Applying the union bound over the at most S elements of supp(c(a)), 
the event that there exists a u G supp(c(a)) with u ^ t and u = t (mod p) has 
probability at most i. D 



Now we give two algorithms utilizing liomomorphic hashing, one for the case 
where S is known, and one for the case where S is not known. 

Theorem 11 There exists an algorithm that, given an instance {a,t) of the 
Subset Sum problem and an integer S > |supp(c(a))| as input, outputs a non- 
negative integer X in 0*{S) time and polynomial space such that (i) x = implies 
c{a)t = and (ii) Prob[c(a)t = x] > i. 

Proof. The algorithm is: First, obtain prime p = pickprime(S'/37i(log/3)(logn)) 
using LemmaO Second, compute and output c^{a)t using Corollary[7l Condition 
(i) holds since c^{a)t = implies c{a)t = for any p,t. Moreover, condition (ii) 
follows from Lemma [TU] and Lemma P since ^(1 — i) > j. The time and space 
bounds arc met by Corollary [7] because p ~ 0*{S). D 

Proof (of Theorem\^a) ) . The algorithm is the following: Maintain a guess S of 
supp(c(a)), initially set to n. Obtain a prime p = pickprime(S'/3ri,(log/3)(logri)) 
using Lemma m and compute cP{a)t using Corollary [71 If c^{a)t = output 
no since c{a)t = 0; otherwise, attempt to construct a subset X C [n] such 
that X^eex "e = t using self-reduction. If this succeeds, return yes. Otherwise, 
double S and repeat. The expected running time (taken over all primes p) is 
0*(supp(c(a))) because when S > supp(c(a))/3n(log/3)(logn) the probability of 
succcsfuUy constructing a solution or concluding that none exist is at least ^ by 
the arguments in the proof of Lemma 1101 D 

The dcrandomization for Theorem [TJb) is given in the appendix. 



4 Homomorphic Hashing for Linear Satisfiability 

In this section we assume that F is a field of non-even characteristic and that 
addition and multiplication refer to operations in F. For s G N, we denote by 
* G F^2^^2 the Walsh- Hadamard matrix, defined for all x,y <E Z?2 by ^x,y = 

Lemma 12 (Folklore) The Walsh- Hadamard matrix satisfies $$ = 2^1 and, 
for every f,g£ ^[^2]' ** holds that (/ =1= g)$ = /$ og$. 

We first prove the following general theorem, of which Theorem [UJa) is a 
special case. 

Theorem 13 There exists a randomized algorithm that, given as input 

1. a circuit C with singleton inputs over F[Z2], 

2. an integer S > |supp(t))|, and 

3. an element t £ 1,2, 

outputs the coefficient vt G ¥ with probability at least ^ where v G F[Z2] is 
the output of C . The algorithm runs in time 0*{S) and uses 0*{S) arithmetic 
operations in F, and requires storage for 0*{1) bits and elements of¥. 
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Algorithm hashZ2 
1: Let s= [log^l+l. 
2: Choose a matrix H G ^2^" uniformly at random from the set of all s x n matrices 

with binary entries. 
3: Let h : ¥[1,2] — ^ ^[Zl] be the homomorphism defined by h{a) = b where b^i = 

'}2yez"vH=!E '^y ^'^^ ^^1 ^ ^ ^2- Apply /i to C to obtain the circuit C\. 
4: return ^ ^ (_i)(*«)-^ sub(Ci,a;). 



2" 



Algorithm sub(Ci,a;) 
5: Let ip : ¥[1,2] — >■ F be the homomorphism defined by ifiiw) = Yl ga(— 1)" 

for all w £ F[Z|]. Apply (/? to Ci to obtain the circuit C2. 
6: Evaluate C2 and return the output. 



Algorithm 1: Homomorphic hashing for Theorem [T51 



Proof. The algorithm is given in Algorithm [T] Let us first analyse the complexity 
of this algorithm: Steps 1 and 2 can be performed in time polynomial in the input. 
Step 3 also be done in polynomial time since it amounts to relabeling all input 
gates with h{e) where e was the old label. Indeed, we know that e <S ^[^2] is 
a singleton {v,y), so h{e) is the singleton {v,yH) and this can be computed 
in polynomial time. Step 4 takes 0*{S) operations and calls to sub, so for the 
complexity bound it remains to show that each call to sub runs in polynomial 
time. Step 5 can be implemented in polynomial time similar to Step 3 since the 

T 

singleton e = (w,y) is mapped to (—1)'"^ v. Finally, the direct evaluation of C2 
uses IC2I operations in F. Hence the algorithm meets the time bound, and also 
the space bound is immediate. 

The fact that hashZ2 returns vt with probability at least 2 is a direct conse- 
quence of the following two claims. Let w be the output of Ci. 

Claim 1 (t) Probjf [wt = wtn] > \- 

Claim 2 (|) Algorithm hashZ2 returns wtn- 



Proof (of Theorem [^ a)). For 1 < i < n and < w < t denote by A''^ the ith 
row of A and define f[i,w] e Q[Z^] by 

if i = w = 0, 

if i = and w ^ 0, (l) 

f[i — l,j — iOi] * (l, A^^' ) otherwise. 




It is easy to see that for every l<i<ri,0<it;<i, and y G Z™, the value 
f[i, w]y is the number of a; G Zj such that u)x^ — t and xA — y where ui and 
A are obtained by truncating a; and A to the first i rows. Hence, we let C be 



the circuit implementing [T] and let its output he v = J2w=q fi''^^^]- Thus, Vb is 
the number of a; G Zj with xA = b and xu)'^ < t. 

Also, |supp(?;)| < 2'''*'^^^ since any element of the support of v is a sum of 
rows of A and hence in the row-space of A, which has size at most 2'''^'^'. To 
apply Theorem [131 let F = Q and observe that the computations are in fact 
carried out over integers bounded in absolute value poly-exponentially in n and 
hence the operations in the base field can also be executed polynomial in n. The 
theorem follows from Theorem 1131 D 

To establish Theorem [2jb) , let us first see how to exploit a high linear rank 
of the matrix A in an instance of Linear Sat. By permuting the rows of A as 
necessary, we can assume that the first rk(A) rows of A are linearly independent. 
We can now partition x into x = {y,z), where y has length rk(j4) and z has 
length n — rk{A). There are 2"~'''^(^) choices for z, each of which by linear 
independence has at most one corresponding y such that xA = b. Given z, 
we can determine the corresponding y (if any) in polynomial time by Gaussian 
elimination. Thus, we have: 

Observation 14 Linear Sat can be solved in C)*(2"~'''^'^^) time and polyno- 
mial space. 

This enables a "Win/Win approach" where we distinguish between low and 
high ranks, and use an appropriate algorithm in each case. 

Proof (of Theorem\^h)). Compute rk(A). If rklA) > n/2, run the algorithm of 
Observation HM Otherwise, run the algorithm implied by Theorem [21[a) . D 

Set Partition We now give a very similar application to the Set Partition 
problem: given an integer t and a set family J^ C 2^ where |J^| = n, \U\ = m, 
determine whether there is a subfamily V '^ J- with \V\ < t such that UseP ^ ~ 

Uandj:s^^\S\ = \U\. 

The incidence matrix of a set system [U^J-) is the \U\ x |J^| matrix A whose 
entries A^s — [^ G S] arc indexed by e G [/ and S £ J-. 

Theorem 15 (|) There exist algorithms that given an instance (U^J-',t) of Set 
Partition output the number of set partitions of size at most t with probability 
at least ^, and use (a) 0*{2'^^^^) time and polynomial space, and (b) (2'''^'- ■* + 
n)m^^' time and space, where A is the incidence matrix of {U,J-). 

5 Homomorphic Hashing for the Union Product 

In this section our objective is to mimic the approach of the previous sec- 
tion for N[(2^,U)], where (2^,U) is the semigroup defined by the set union 
U operation on 2^^, the power set of an n-element set U . The direct attempt 
to apply a homomorphic hashing function, unfortunately, fails. Indeed, let h 
be an arbitrary homomorphism from (2*^,0) to (2^,U) with \V\ < \U\. Let 
U ~ {ei, 62, . . . , e„} and consider the minimum value 1 < j < n — 1 with 



/i({ei, . . . , e^}) = U^=i/i({ei}) = U^=i /i({ei}) = h{{ei, . . . , ej+i}); in particular, 
for X = {ei, . . . , Cj, ej+2, • ■ • , e„} 7^ C/ we have /i(X) = h{U), which signals 
failure since we cannot isolate X from U. 

Instead, we use hashing to an algebraic structure based on a poset (the 
"Solomon algebra" of a poset due to [52]) that is obtained by the technique 
"Iterative Compression". This gives the following main result. For reasons of 
space we relegate a detailed proof to the appendix; here we will give a simplified 
version of the proof in the special case of Theorem [3] in this section. 

Theorem 16 (|) Let and \U\ ~ n. There are algorithms that, given a circuit C 
with singleton inputs in N[(2'^,U)] outputting v, compute 

(a) a list with vx for every X g supp(tj) in C'*(|supp(v)p • n^^') time, 

(h) vu in time C)*(2(i-"/2)"nO(i)) i/O < a < 1/2 such that |supp(t>)| < 2(1-")". 

The above result is stated for simplicity in the unit-cost model, that is, we 
assume that arithmetic operations on integers take constant time. For the more 
realistic log-cost model, where such operations arc assumed to take time poly- 
nomial in the number of bits of the binary representation, we only mention here 
that our results also hold under some mild technical conditions. Let us first show 
that Theorem [3l[a) indeed is a special case of Theorem [T6l 

Proof (of Theorem\^. Use a circuit over N[(2[™1,U)] that implements the ex- 
pression 

/ = ((1, Fi) + (1, Fi)) * ((1, V2) + (1, V2))*...* ((1, K„) + (1, 14)), 

where Vi C [m] (respectively, Vi C [m]) is the set of all indices of clauses that 
contain a positive (respectively, negative) literal of the variable Vi. Then use 
Theorem [12] to determine /r,„i , the number of satisfying assignments of (p. D 

Now we proceed with a self-contained proof Theorem [3] Given poset (P, <), 
the Mobius function /i:PxP— >NofPis defined for all x, y G P by 

if X = y, 

<y<z m(J/' ^) if ^ < ^' (2) 

otherwise. 

The zeta transform ^ and Mobius transform fi are the \P\ x \P\ matrices defined 
by Cx,y = [x '^ y] and fi^.y ~ fJ.{x, y) for all x,y £ P. For a CNF-forniula (j) 
denote supp(0) for the set of all projections of cj). Recall in Theorem [3] we are 
given a CNF- Formula (f> = C^ A . . . A C™ over n variables. For i = 1, . . . ,m define 
cfi.i = Ci A . . . A Ci. Then we have the following easy observations 

1. supp((/.o) = {0}, 

2. supp((/)i) C supp((/)i_i) L}{XU{i} : X e supp(0i_i)} for every i = 1, . . . , m, 

3. |supp(0i_i)| < |supp((/ij)| for every i = 1, . . . , m. 
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Given the above lemma and observations, we will give an algoritm using a 
technique called iterative compression |19] . As we will see, by this technique it 
is sufficient to solve the following "compression problem" : 

Lemma 17 Given a CNF-formula (f) — Ci A. . . A Cm and a set family F C 2 1™' 
with supp((/)) C J^ J the set supp((/)) can be constructed in 0*(\J-\'^) time. 

Proof. In what follows a G {0, 1}" refers to an assignment of values to the n 
variables in (f). Define / £ N^ for all X C [m] by 

fx = \{a e {0, 1}" : Vi £ [m] it holds that a satisfies Ci iff i g X}|. 

It is easy to see that supp(/) = supp(0), so if we know fx for every X G J^ we 
can construct supp((/!)) in |J^| time. Towards this end, first note that for every 
Y C [m] it holds that 

{fOr = E /(^) = E /(^) 

XGsupp(/) xcy 

XQY 

= \{a £ {0, 1}" : Vi £ [m] it holds that a satisfies Ci only if « £ F}|. 

Second, note that the last quantity can be computed in polynomial time: since 
every clause outside Y must not be satisfied, each such clause forces the variables 
that occur in it to unique values; any other variables may be assigned to arbitrary 
values. That is, the count is if the clauses outside Y force at least one variable 
to conflicting values, otherwise the count is 2° where a is the number of variables 
that occur in none of the clauses outside Y . 

Now the algorithm is the following: for every X £ F compute {fC)x in poly- 
nomial time as discussed above. Then we can use algorithm mobius as described 
below to obtain fx for every X € T since it follows that / = niobius((J^, C), f(^) 
from the definition of fi and the fact that fiQ = I. Algorithm mobius clearly 
runs in C'*(|Pp) time, so this procedure meets the claimed time bound. 



Algorithm mobius((P, <), ty) 






1 


Let P — {vi , U2 . . . , «|p| } such that Vi 


<v. 


implies i > j. 


2 


z <— w. 






3 


for i = 1,2,..., \P\ do 






4 


for every Vj < Vi do 






5 


Zi = Zi- Zj 






6 


return z. 







D 

Proof (of Theorem\^ self-contained). Recall that we already know that supp((/)o) = 
{0}. Now, for i = 1, . . . ,m we set P = supp((/)i_i) U {X U {i} : X £ supp(0i_i)} 
and use J- to obtain supp((/)i_i) using Lemma [T71 In the end we are given 
supp((^m) and since 4>m is exactly the original formula, the input is a yes-instance 
if and only if [m] £ supp(</)m). The claimed running time follows from Observa- 
tions 1 and 3 above and the running time of algorithm mobius. D 
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Set Cover We will now give an application of Theorem fWb) to Set Cover: 
Given a set family 7^ C 2^^ where \U\ = n and an integer k, find a subfamily 
C C J" such that |C| = fc and Usee ^ = [/. 

Theorem 18 Given an instance of Set Cover, let < a < 1/2 be the largest 
real such that HUsec S : C Q J^ A \C\ = k}\ < 2^^~°''". Then the instance can be 
solved in O* {2^^~°''^>'^n'~'^^') time (and exponential space). 

Proof. Let J-^ — {Si, . . . , 5m}, and for every 1 < i < m and 1 < j < n define 
f[i,j] as follows: 

\/b - l-:?'] + fb - l,:/' - 1] * (li'S'j) otherwise. 

It is easy to see that for every X C U we have that f[i,j]x is the number of 
C C {Si, . . . , Si} such that \C\ ~ j and Usee S ^ X. Hence the theorem follows 
directly by applying Theorem I16f b) by interpreting the above recurrence as a 
circuit in order to determine the value f[m,k]ij. D 
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APPENDIX 

A Omitted proofs 

A.l Proofs omitted in Section [3] 

Proof of Corollary [7] For the proof wc use the following result as a blackbox: 

Theorem 19 ([16]) Given an instance {a,t) of Subset Sum, c{a)t can be 
computed in 0*{t) time and 0*{1) space. 

Proof (of Corollary^. By reducing modulo p we can assume that ai, . . . , a„, i < 
p. We have 

n n 

cP{a)t = ^ c{a), = ^c{a)t+jp, 

i=t[n\odp) i— 

where the first equality holds by definition and the second equality follows from 
the fact that c{a)i = when i > np ot Q < i. The latter expression can be 
evaluated in the claimed resource bounds using Theorem [191 D 

Proof of Theorem [9] Take an integer i < u uniformly at random, and check 
whether it is a prime using the polynomial time algorithm of [T]. If i is prime, 
then output i and halt; otherwise repeat. If no prime is found after ln(u) + 2 
repetitions, output notf ound and halt. The upper bound on the probability of 
failure follows from Theorem [5] since the probability that notf ound is returned 
is at most (1 - (ln(M) + 2)~i)i"(")+2 < i. 

Proof of Theorem [l](b)) Let /3 = [logmax{i,maxi a^}]. Call a prime p had 
if c{a)t ^ c^{a)t. Analoguously to the proof of Lemma [TOl there are at most 
(/3+ [log n] )S bad primes. Let pi, . . . ,p; be the first I prime numbers in increasing 
order where I = 2(/3 + [log77])S' + 1. Since there are only (/3 + [logri])S' bad 
primes, the majority of the set of integers {c^*(a)t}i<i<; will be equal to c{a)t. 
Then use the folklore Majority voting algorithm [5] as in Algorithm lA.il 

The correctness follows from the above discussion and the correctness of the 
majority voting algorithm [5] that is folklore and implemented in the algorithm. 
For the running time, note that pi is 0*{S) by Theorem[8]and hence the running 
time is 0*{S'^) since Step 6 takes time 0*{S). It is clear that the algorithm can 
be implemented using polynomial space. 

A. 2 Proofs omitted in Section |4] 

Proof of Claim [l] For every a, b e N[Z^] wc have (a + b)H = aH + bH 

and hence h is easily seen to be a homomorphism by Observation |4l Thus, by 
Observation [5] we know that w = h{v), that is, for every 2; £ Z| 

W^^ Y^ Vy. 
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M,C,i,j^O. 
while i < I do 

i ^ J + 1 

if the deterministic primality testing from |l] returns tliat j is prime then 
i •(- i + 1; Pi ^ j 

Compute c^'-[a)t using Corollary [T] 
if M = then 

else if d''-{a)t — C then 

M ^ M + 1 
else 

M ^ A/ - 1 
return C 



Hence, if Vt 7^ WtH, there must exist y € supp(i;) such that y ^t and yH = tH . 
Equivalently, {y — t)H = 0. For any x e Z2 with a; ^ wc have 

s 

¥vohH[xH = 0] = Y]yvohH[{xH)i = 0] = 2"", 

where the probability is taken uniform over all binary sxn matrices, and the two 
equalities follow from the fact that the random variables {xH)i for i = 1, . . . , s 
are independent and uniformly distributed. Now the claim follows by taking the 
union bound over all elements in the support: 

Prob[t;t ^ wtn] < Prob[3a; e supp(t;) : a; ^ t A xH = tH] < |S'|2"'' < -. 

Proof of Claim [2] Let b G N[Z2] such that b^ = sub(Ci,a;) for every a; e Zj. 
It suffices to show that b = w^ since hashZ2 returns ■^{b^)tH as can bee seen 
from Line 4, and this is equal to wnt by Lemma [T^ For proving that b = w^, 
we first claim that 1^9 is a homomorphism from N[Z|] to N since, for a,b E N[Z|], 
we have that Lp{a + b) equals 

and Lp{a * b) equals 



(-1)="^" ^ ay^by^ = Y. {-iT^^^ay^ ^ ( - 1 ) ^^^ fe^^ = ^ ( fl ) ^ ( 6) . 



E 



Then, by Observation|6l sub(Ci, a;) returns ^piw). For a S Z[Z2] we have <y9(a) 
(a$)a; so sub(Ci,a;) = {w^)^ and hence b = 11;$. 

Proof of Theorem 1151 

15 



Proof (of Theorem] 15[ a)}. Use Theorem[21 Assume T = {Si, . . . , Sn} and create 
the instance (A, b, iv, t') of Linear Sat where A is the incidence matrix of the 
set system {F, U), b = 1, w,; = \Si\n + I and t' = nm + 1. It is easy to see that 
the algorithm of Theorem [5] returns exactly the number of set partitions of size 
at most t O 

For the second part we will need the following folklore result. 

Theorem 20 (Fast Walsh-Hadamard transform, Folklore) Given a vec- 
tor a G N[Z2], a$ can be computed in time 0{2'^s) and using 0{2^s) operations 
in N. 

Proof (of Theorem\T^b)). Consider the following circuit C over Q[Z™]: 



1,0) ifi=.) = 

if i = and j ^ 



J 



(3) 



y /[i — 1, h\g\i — h\ otherwise, where 

n 

2=1 

For every x e Z™ and non-negative integers i and j, the coefficient /[i,j]a; 
counts the number of ways to choose an i-tuple of sets in S such that their sizes 
sum up to i and their characteristic vectors sum to x in Z™. Thus supp(/[t, tti]) < 
2ik(^)^ Furthermore, /[t, m]i is the number of set partitions of size t times t\. 
Indeed, if a i-tuple of sets from S contributes to /[f, n]i, each element of U must 
occur in a unique set in the t-tuple. It remains to compute (/[t, ri}\)x. For this we 
will use algorithm hashZ2 with s = rk(A), except that wc replace Line 4 with 
the following to compute WtH , where w is the output of Ci : 



4: for every < j < m do 

5: Compute and store h{g[j]) usmg (|4]) 

6: Compute and store h{g[j\)^ using Theorem 1201 

1 rp 

7: return -— > (^1) (ly $) a,, using (l3l) and the stored values to compute the 

OS Z — J 



2= 
aiez 



vector 10$. 



Algorithm 2: Changes to Algorithm [T] to implement Theorem [T5] 



The correctness follows from Claim [T] and the observation that the inversion 
formula from Theorem 1121 is returned on Line 7. Indeed, h is a homomorphism 
and $ is a bijective homomorphism, so Observation[B]enables us to compute w^ 
using (g]). 

To establish the time and space complexity, we observe that Steps 5 and 
6 take (2** + n)™*^'^' time by elementary analysis and Theorem [20l and that 
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Step 7 takes 2'''m'^^^'> time since we can compute w = h{f[t,m]) via ^ in 
0{m^) operations in Q^^ by relying on the stored values h{g[j])^, where each 
operation requires 0{2^s) time by Theorem[2Dl D 

A. 3 Proofs of Section [5] 

This section is dedicated to the proof of Theorem [T51 Instead of a combinatorial 
proof similar to the one of Section [51 wc use the algebraic perspective in this 
proof since we feel it gives a more fundamental insight into the hashing function 
used. To obtain Theorem [161 we prove the following generalization of Lemma [T7l 

Lemma 21 There is an algorithm that, given circuit C over N[(2^,U)] with 
singleton inputs outputting v, and a set family J- ^^P such that supp(t>) C J^ 
computes a list with vx for every X S supp(t>) in 0*{\J-'\'^) time. 

From Lemma 1211 to Theorem 1161 Wc now combine Lemma [21] with the 
iterative compression technique to obtain Theorem 1161 in a way very similar to 
Section [5l Instead of the subformula <j>i from Section [5l we need the following 
notion. 

Definition 22 Given a circuit C over N[(2'^, U)] and X C U, the restriction of 
C to X is the circuit obtained by applying the function h to it, where, for Y C X 

h{v)Y = ^ vw- 

W<ZU:WnX=Y 

Proof (of Theorem \16\) . Assume U = {ei, 62, ... , e„}, and for every i = 0, . . . , n— 
1, let C* be the restriction of C to {ei, . . . , e^} and d* be the output of C". Then, 
since taking restrictions is homomorphic, we have by Observation [Bl that 

WQU:Wn{ei,...,ei}=Y WQU:Wn{ei,...,ei-i}=Y\{ei} 

This implies that if A G supp(t>*), then X \ [ci] e supp(t>'^^) and hence 

supp(t;*) C supp(t;'-i) U {A U {ej : A G supp(7;*-i)}. (5) 

We now describe how to implement the theorem. First note that supp(t>°) = 0. 
For i ~ l,...,n do the following: set 7^' = supp(t>*~^) U {A U {ci} : X € 
supp(t)'^^)}. Then by ([5]), supp(t)') C J^*. Hence, by invoking the algorithm of 
Lemma [21] using C" as the circuit and 7^' as the set family, we can obtain Vx 
for every A e supp(t>') in C'*(|J"'p) time which is C'*((2|supp(w'"^)|)^) time. 
From these values wc can easily obtain the support of v^ . After n steps, wc have 
computed vx ~ v^ for every A 6 supp(t>). The claimed running time follows 
from the fact that |supp(D*~"'^)| < |supp(t;*)| for every i — 1, . . . ,n. D 

The remainder of this section is devoted to the proof of Lemma ^T\ The idea 
is to use the set family J^ to create a poset and homomorphically hash N[(2'^, U)] 
to the so-called Solomon algebra of the poset. We will first recall all necessary 
notions and properties, second introduce the hash function, and third give the 
algorithm implementing Lemma 1211 
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Preliminaries on Mobius inversion and the Solomon algebra Let {P, <) 

be a poset. An element c € P is said to be an upper bound of a set X C P if 
X < c holds for all x G X. The set X is said to have a join in P if there exists 
an upper bound c E P (called the join) of X such that, for all upper bounds d 
of X, it holds that c < d. For X C P, let us write V X for the join of X; for the 
join oi X = {a, b} we write simply aW b. The open interval (x, y) is the poset 
induced by the set {e G P : cc < e < y} C P. We write [x, y), (x, j/] and [x, y\ for 
the analogous (half-)closed interval. 

Let P be a poset. The Mobius function /i:PxP— >NofPis defined for all 
x, 2/ G P by 

{1 if a; = 2/, 

-Ex<3<yAi(a;,z) ifa;<y, (6) 

otherwise. 

The zeta transform C, and Mobius transform fi are the \P\ x |P| matrices defined 
by Cx,y = [x <y] and //a;,.y = fi{x, y) for aU x,y e P. 

The following combinatorial interpretation is particularly useful: 

Theorem 23 (Hall (see [23], Proposition 3.8.5)) For all x,y £ P, ^l{x,y) 
is the number of even chains in {x,y) minus the number of odd chains in {x,y). 

We include a proof for completeness 

Proof. Use induction on the number of elements in the interval (x, y). li x = y, 
(x, y) contains only the empty chain, which is even. If x < j/, group all chains on 
their smallest element y. The contribution of all these chains is exactly —^.{y, z) 
since odd chains are extended to even chains and vice- versa by adding y. D 

It is known that fj, and ^ are mutual inverses. To see this, note that {fJ'C)xy 
can be interpreted as the number of even chains minus the number of odd chains 
in the interval (x, y] which can be seen to be if x ^ y by a pairing argument, 
and 1 otherwise. This principle is called Mobius inversion. 

Definition 24 ([22]) Let (P, <) be a poset. The Solomon algebra N[P] is the 
set N^ equipped with coordinate-wise addition © and the Solomon product ^ 
defined for all f,gG N[P] and z E P by 



x^y^P \x^y<.q<z J 

The following properties of the Solomon algebra will be useful: 
Lemma 25 For every v^, . . .v'' G N[P] and s E P we have 

= E f E M^.s)')n< 

ai,...,afceP \ai,...,ak<r<s I i=l 
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Proof. Use induction of n. For n = 1, the statement clearly holds. Otherwise, 
we have by definition of (g) that 



a--i 



{Induction Hypothesis} 



)vn vt 



- E E ^^i^M E I E M.,-)|n< 

w.ak€.P \w.ak'^r<s j ai,...,ak~iGP \ai,...,ak-.i<q<w 

{Reordering summations} 

( \ 

= E 



E M(^,s)^(q,u;) J|w^^ 



\ai,....afc_i<ij<ji 

{Reordering summations} 



/ 



= E E E M9,w^)U(r,s)n< 

ai ,...,afcGP ai ,...,a/^._i<g Vq^^^^^ / ^—1 

{Mobius inversion} 

= E E b=^]/^(^,s)n< 



ai,...,afcePai,...,afc_i<g 
afc<r 



i=l 



E I E M.,^)in< 

ai,...,afceP \ ai....,afc<(7 



i=l 



Theorem 26 ([22]) T/ie zeta transform is a homomorphism from N[-P] to N^; 
i/iai is, for every f,gE N[P] it holds that (/ © g)C — fC + gC o,^d. (/ ® g)(^ = 

KogC- 
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Proof. For every lu G P we have 

((/ © 9KU = E (/- + -9-) = E /- + E 5- = (/^)- + (aCl^, and 



2<i(; 2:<itJ 2:<uj 



z<w x.,y^P \x,y<q<z j 

= E I-^'' 2^ < 9 < H E ^(9' ^) •^^^^^ 

x,y,qGP \'?^2:<ii' / 

= E [^'^ - HA^5y = I E -^^ 1 I E 5y = ifC)wigC)^ 

x,yGP \x<w /Vy^^ / 
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Lemma 27 ( |22) ) Lei P be a poset with a minimum elem,ent 0. Then, N[P] is 
a commutative ring with the multiplicative identity (l,0). 

Proof. The singleton (l,0) is the muhiphcative identity because 



((l,6)(g)g)^ = E E m(9,^) .9a=5z, 

where the last equality follows from Mobius inversion. To see that N[P] is a 
commutative ring, note that C is an isomorphism from N[P] to the ring N^. 
Indeed, Theorem [26l shows that ^ is a homomorphism, and Cm — mC = I shows 
that ^ is bijective. D 

Lemma 28 For singletons (c, x) ,{d,x) G N[P] it holds that {c,x) O {d,x) = 
{cd, x) . 

Proof. For all z G P, we have that ((c, x) ® {d,x))z equals 



E I E ^^(9' ^M [^ = ^]'^[y = x]d= E Kl, z)cd = [x = z]cd. 

w,yGP \w,y<.q<z J ^^Q^^ 
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The hash function for Lemma 1211 Let U be an n-element set and let {P, <) 

be a poset that satisfies U C P and has a minimum element 0. Define the 
function h : N[{2^ , U)] -^ N[P] by setting, for all a G N[(2'^, U)], 

/i(a)= 0(ax,6)®(g)(l,e). (7) 

xcu eex 

The following two lemmas combined show that the function h is in fact an 
homomorphic hash function: 

Lemma 29 // (P, <) is a poset with minimum element, U C P and v G 
N[(2 , U)] such that every X G supp(t>) has a join in P and for every X,Y G 
supp(v), 

V {{e} -.eeX}^ V{{e} : e S y}, (8) 

then for every X E supp(w), /i(t')v{{e}:eex} = vx- 
Proof Denote y = V{{e} : e £ X}. Then, 

^xcu eex ' V 

{for X ^ supp(t;) we have vx ~ 0} 

(^'x,6)®(g)(l,e)' 
^xesupp(«) eex ^ y 

{Definition of ©} 

= E ((-x,6)®(g)(l,e))^ 

{Applying Lemma [25l denoting X = {ei, . . . , e|x|}} 

Xesupp(i;) ao,...,Q|x|e-P \ao,---,a|x| <9<J/ / ''=1 

{X has a join by assumption since it is in the support} 

XGsupp(i;) \eiV...Ve|x|<g<a 

{Mobius inversion} 

= E [ei V . . . V e|x| = y]wx 

A"Gsupp(i;) 

{By the assumption stated in ([8])} 
= Vx 
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Lemma 30 The mapping h is a homomorphism from N[(2'^,U)] to N[P]. 
Proof. For every v, tt) G 'L[{2^ , U)] we have 

h{v + w)= ^ {vx+ u^x, 6) ® (1, e) 
x<zu eex 

= 0((^'x,6)©(«;x,O))®(g)(l,e}) 
xcu eex 

= ( («x, 6) ® (g) (1, e) ® (zwx, 6) (g) (1, e) 
A'ca ^ eex eex 

= (t'x,6)®(g)(l,e) © (z«x,6)®(g)(l,e) 
yxcLf eex J \X(1U eex 

= /i(v) ®h{w). 



h{v * u;) = ((t; * t(;)x, 6) ® (g) (1, e) 

xcc/ eex 

{Definition of multiplication in N[(2^, U)]} 

= 0( E vvww,0)®l^{l,e) 
xcu ^vuw=x ' eex 

{By definition of ©} 

= («y«^w,6)®(g)(l,e) 
xcuvuw=x eex 

{By Lemma [5S] and commutativity of O from Lemma 1271} 

= K«^M/,6)®(g)(l,e}® (g)(l,e) 

xcc/vuw=x eey eew 

{Using that V and VF determine X} 

= (wvu'w,6)«)(g)(l,e)® (g) (l,e) 

v.wcu eev eew 

{ By Lemma [281} 

= ((«v,6)®(«;H/,6))®(g)(l,e)®(g) (l,e) 

v,VFc;7 eey eew 

{ By distributivity from Lemma 1271} 

{vx,Q)®<^{l.e)\ ® {vx,Q)®(^{l,e) 
yXCU eex J \x(iu eex 

h{v) (S)h{w). 



22 



The algorithm for Lemma l21l We arc now ready to give the proof of LemmaHTJ 
As mentioned before, the proof idea is to construct a poset P from the given set 
family and hash the given circuit to a circuit C" over the Solomon algebra N[P] 
with the homomorphic hash function h. Then by Theorem [21] and Lemma 1301 
the zeta-transform of the output of C" can be computed fast using point-wise 
multiplication, and then using Mobius inversion the original output can be com- 
puted. Because of the hash property from Lemma |29I of h, the required output 
of C can then be read from the output of C". 

Proof (of Lemma \21\). We start by giving the algorithm. We assume without 
loss of generality that e J". 



Algorithm find(C,J^) 
1: Construct the poset P = {T, C). 

2: Construct the circuit Ci over ^[P] obtained from C by applying h. 
3: for every x £ P do 
4: Wx ■<— sub(Ci,a::). 
5: return mobius(P, ly) 

Algorithm sub(Ci,a;) 

6: Construct the circuit C2 over N obtained from Ci by applying i^a: : e ^-^■ ^ 
7: Evaluate C2 and return the output. 

Algorithm mobius((P, <), ty) 



8: 


Let P = {vi ,V2 ■ . ■ ,v\p\} such that Vi < Vi implies i > j 


9: 


z <— w. 


10: 


for i = 1,2, ...,|P| do 


11: 


for every Vj < ih do 


12: 


Zi = Zi- Zj 


13: 


return z. 



The algorithm is Algorithm find. Let us first analyse the complexity. Recall 
that to establish the claimed bounds we assume that each operation in N takes 
one time unit. Step 1 can easily be implemented in OdJ-"!) time. Step 2 expands 
every singleton (of N[(2^,U)]) in C according to dZ]) into a product of at most 
n + 1 singletons of N[P], and thus can be implemented in time and storage 
0{n\C\). Step 6 can be implemented in time and space 0(|Ci|) because the 
singleton e = {v,y) is mapped to [y < x]v. In Step 7, the evaluation of C2 over 
N uses IC2I operations in N. The complexity of algorithm mobius is easily seen 
to be C*(|J^p), and since the loop at Step 3 is the only other time-consuming 
part the resource bounds are clearly met. 

We proceed with the proof of correctness of Algorithm f ind. First note that 
since supp(tj) C J^, we have by construction that for every X ~ {ei, . . . ,e^x\} ^ 
supp(t»), V{{ei}, . . . , {e|x|}} = X, since every other upper bound in P on 
{{ei}, . . . , {e|x|}} must be above the element X of P. This directly implies 
that the requirement imposed by ([8]) is met by P. Hence by Lemma [29] we have 
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that /i(i')v{{e}:eex} = vx for every X e supp(i>). Thus to prove correctness it 
suffices to show that the vector w^ is equal to h{v). 

Since /i is a homoniorphism by Lemma [501 ObservationlHliniphes that C^ out- 
puts h{v). Then, we claim that for every .t G P it holds that Wx = sub(Ci,x) = 
{h{v)C)x- To see this note that on Line 7 first the zeta transform is applied to Ci 
which is a homomorphism to N^ by Theorem I26[ and then we restrict to the co- 
ordinate X. The claim than follows by Observation [5] since both transformations 
are homomorphisms. 

Finally, since w^ = {h{v)(^)x, we know that {wfi) = h{v). The lemma then 
follows since it is easy to see that mobius(P, w) = wfi. D 

Proof of Theorem I16l (b^ The proof of Item (b) is fairly similar to the proof 
of Item (a). The main difference is the use of the poset P. In this section, we 
will use a poset larger than the support of v, but the advantages are that 

1. we not need to construct the poset using Iterative compression, and hence 
we do not need to determine all components of v, 

2. the poset will be decomposable, implying that the bottleneck in (a), the 
Mobius inversion step, can be improved. 

Let us now start with the more formal treatment. Given two posets (P, <p) 
and (Q, <q), the direct product PxQ is the poset on the set {{p, q) : p £ P hq € 
Q} such that {pi,qi) < (^2,92) if Pi <p P2 and qi <q 52- 

Lemma 31 (see [23], Proposition 3.8.2) Let P and Q be posets and let fj,p 
and ^Q denote their respective Mobius functions. Denote fJ-pxQ o,nd < for the 
Mobius function and order of P x Q, then for (pi, qi) < (p2, 92) it holds that 

MPxQ((pi,gi),(P2,g2)) = Aip(pi,P2 )mq (91,92 )• 



ere is an 



Lemma 32 (^27j, "Yates' algorithm") Given a vector v G N^ , th 
algorithm that computes the vector v/j, in 0{2'^'\U\) time. 

We will also need the following small modification of Yates' algorithm: 

Lemma 33 There is an algorithm that, given a poset P C 2 ordered by set 
inclusion and containing and U , computes a table with /i(0, S) and /i(S', U) for 
every S G P in 0{\P\ ■ \U\) time and space 

Proof. In this proof [i] denotes the set {1, . . .,i} for an integer i. Let U ~ [n]. 
We first define g : [n] — >■ N by letting 

(1 ifS'=-0, 

g{S) = < yj —giY) otherwise. 
YeP 

KYCS 
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It is easy to see that g{S) = /^(0, S). Also, define for every i = 1, . . . , n: 

' 1 if i == and 5 = 

MS) = {-[Se P]giS) if i = and 5 y^ 

J,_i(5) + [ie S]f,^i{S \ ^) otherwise. 

Then it holds that g{S) = fn{S) for every S C U. Note that by symmetry 
(that is, reversing the order of the poset), this procedure can be used as well to 
compute fi{S, U) for every 5 G P in the same time bounds. D 

Lemma 34 There is an algorithm that, given an integer s and a circuit C with 
singleton inputs in N[(2'^, U)] outputting v, computes vjj in time 

Proof. Assume U = {ei, 62, . . . , e„}, and let C* be the restriction of C to Us = 
{ei, . . . , Cs} and v" be the output of C*. 

Claim 3 There is an algorithm computing supp(t>*) in 0*{2^n^^') time. 

Proof. By Theorem[26l C is a homomorphism from N[P] to N''^. Hence, similarly 
as in the proof of Theorem I16f a). we can compute v*C in time polynomial in 
the input size. Then the claim follows directly by applying Lemma \n\ D 

Now the algorithm is as follows 



Algorithm find2(C) 
1: Obtain supp(i;'') using Claim|3] 

2: Let P' = (supp(i;°), C) and Q = (2^"^^% C) and construct the poset P = P' x Q. 
3: Construct the circuit Ci over N[P] obtained from C by applying the homomorphism 

h as defined in ((7|). 
4: for every x £ P do 
5: Wx ■<— sub(Ci,a::). 

6: Compute /i(0, x) for every x £ P' using Lemma [33] 
7: return E.=(Xi,x,)6P '^-M^i' t^=)(-l)"''^''''^'''' 



The arguments for the correctness of this algorithm are all similar to the 
arguments of for the correctness of Algorithm f ind2: first note that supp(i') C 
{Xi UX2 : Xi e P' AX2 ^ Q}. This in turn implies the condition of Lemma [29l 
and hence if v' is the output of C^ we indeed have that v'jj = vu • As shown before 
in the proof of Lemma [21] sub(Ci, cc) = {v'C)x. Hence it remains the show that 
on Line 7 the expression is indeed the Mobius inversion formula. This follows 
from the definition of fi, the direct product property of the Mobius function 
from Lemma [31] and the fact that in the subset lattice iJ,{X,Y) = {~iy^'^^\ for 
X CY. 
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For the running time of the above algorithm, note that Line 1 takes C'*(2'*n'-'^^^ 
time. For Line 2, we have \P'\ < |supp(t>)| and |Q| = 2"^^*, and hence |P| < 
|supp(t>)|2"-". Thus, Lines 2-5 take C'*(|supp(t;)|2"-''n'^(i)) time. Line 6 takes 
C'*(2''n'-'(^') time, and using these values, Line 7 can be performed in time at 
most C'*(|supp(v)|2"-"n'^(i)) . D 

Given Lemma [331 the only thing left to prove Theorem [TCT b) is to solve the 
technical issue that a is not given: 

Proof (of Theorem \16Y b)). Simultaneously try all integers < s < n/2, and 
for every s run the algorithm of Lemma 1341 Terminate whenever any of these 
algorithms terminates. This procedure runs in time 

0*{ min max{2Msupp(0,)|2"-^n'^(i)}) <C'*(2(i-"/2)«)^ 

0<s<n/2 

where the inequality is achieved by taking s = [(1 — a/2)n\. O 
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